Boosting Transferability of Targeted Adversarial Examples via Hierarchical Generative Networks

• URL: http://arxiv.org/abs/2107.01809v1
• Date: Mon, 5 Jul 2021 06:17:47 GMT
• Title: Boosting Transferability of Targeted Adversarial Examples via Hierarchical Generative Networks
• Authors: Xiao Yang, Yinpeng Dong, Tianyu Pang, Hang Su, Jun Zhu
• Abstract summary: Transfer-based adversarial attacks can effectively evaluate model robustness in the black-box setting. We propose a conditional generative attacking model, which can generate the adversarial examples targeted at different classes. Our method improves the success rates of targeted black-box attacks by a significant margin over the existing methods.
• Score: 56.96241557830253
• License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
• Abstract: Transfer-based adversarial attacks can effectively evaluate model robustness in the black-box setting. Though several methods have demonstrated impressive transferability of untargeted adversarial examples, targeted adversarial transferability is still challenging. The existing methods either have low targeted transferability or sacrifice computational efficiency. In this paper, we develop a simple yet practical framework to efficiently craft targeted transfer-based adversarial examples. Specifically, we propose a conditional generative attacking model, which can generate the adversarial examples targeted at different classes by simply altering the class embedding and share a single backbone. Extensive experiments demonstrate that our method improves the success rates of targeted black-box attacks by a significant margin over the existing methods -- it reaches an average success rate of 29.6\% against six diverse models based only on one substitute white-box model in the standard testing of NeurIPS 2017 competition, which outperforms the state-of-the-art gradient-based attack methods (with an average success rate of $<$2\%) by a large margin. Moreover, the proposed method is also more efficient beyond an order of magnitude than gradient-based methods.

Related papers

• Hard-label based Small Query Black-box Adversarial Attack [2.041108289731398]
  We propose a new practical setting of hard label based attack with an optimisation process guided by a pretrained surrogate model. We find the proposed method achieves approximately 5 times higher attack success rate compared to the benchmarks.
  arXiv  Detail & Related papers  (2024-03-09T21:26:22Z)
• Enhancing Adversarial Attacks: The Similar Target Method [6.293148047652131]
  adversarial examples pose a threat to deep neural networks' applications. Deep neural networks are vulnerable to adversarial examples, posing a threat to the models' applications and raising security concerns. We propose a similar targeted attack method named Similar Target(ST)
  arXiv  Detail & Related papers  (2023-08-21T14:16:36Z)
• Logit Margin Matters: Improving Transferable Targeted Adversarial Attack by Logit Calibration [85.71545080119026]
  Cross-Entropy (CE) loss function is insufficient to learn transferable targeted adversarial examples. We propose two simple and effective logit calibration methods, which are achieved by downscaling the logits with a temperature factor and an adaptive margin. Experiments conducted on the ImageNet dataset validate the effectiveness of the proposed methods.
  arXiv  Detail & Related papers  (2023-03-07T06:42:52Z)
• Making Substitute Models More Bayesian Can Enhance Transferability of Adversarial Examples [89.85593878754571]
  transferability of adversarial examples across deep neural networks is the crux of many black-box attacks. We advocate to attack a Bayesian model for achieving desirable transferability. Our method outperforms recent state-of-the-arts by large margins.
  arXiv  Detail & Related papers  (2023-02-10T07:08:13Z)
• Query Efficient Cross-Dataset Transferable Black-Box Attack on Action Recognition [99.29804193431823]
  Black-box adversarial attacks present a realistic threat to action recognition systems. We propose a new attack on action recognition that addresses these shortcomings by generating perturbations. Our method achieves 8% and higher 12% deception rates compared to state-of-the-art query-based and transfer-based attacks.
  arXiv  Detail & Related papers  (2022-11-23T17:47:49Z)
• Transferability Ranking of Adversarial Examples [20.41013432717447]
  This paper introduces a ranking strategy that refines the transfer attack process. By leveraging a set of diverse surrogate models, our method can predict transferability of adversarial examples. Using our strategy, we were able to raise the transferability of adversarial examples from a mere 20% - akin to random selection-up to near upper-bound levels.
  arXiv  Detail & Related papers  (2022-08-23T11:25:16Z)
• Query-Efficient Black-box Adversarial Attacks Guided by a Transfer-based Prior [50.393092185611536]
  We consider the black-box adversarial setting, where the adversary needs to craft adversarial examples without access to the gradients of a target model. Previous methods attempted to approximate the true gradient either by using the transfer gradient of a surrogate white-box model or based on the feedback of model queries. We propose two prior-guided random gradient-free (PRGF) algorithms based on biased sampling and gradient averaging.
  arXiv  Detail & Related papers  (2022-03-13T04:06:27Z)
• Improving Adversarial Transferability with Gradient Refining [7.045900712659982]
  Adversarial examples are crafted by adding human-imperceptible perturbations to original images. Deep neural networks are vulnerable to adversarial examples, which are crafted by adding human-imperceptible perturbations to original images.
  arXiv  Detail & Related papers  (2021-05-11T07:44:29Z)
• Adversarial example generation with AdaBelief Optimizer and Crop Invariance [8.404340557720436]
  Adversarial attacks can be an important method to evaluate and select robust models in safety-critical applications. We propose AdaBelief Iterative Fast Gradient Method (ABI-FGM) and Crop-Invariant attack Method (CIM) to improve the transferability of adversarial examples. Our method has higher success rates than state-of-the-art gradient-based attack methods.
  arXiv  Detail & Related papers  (2021-02-07T06:00:36Z)
• Two Sides of the Same Coin: White-box and Black-box Attacks for Transfer Learning [60.784641458579124]
  We show that fine-tuning effectively enhances model robustness under white-box FGSM attacks. We also propose a black-box attack method for transfer learning models which attacks the target model with the adversarial examples produced by its source model. To systematically measure the effect of both white-box and black-box attacks, we propose a new metric to evaluate how transferable are the adversarial examples produced by a source model to a target model.
  arXiv  Detail & Related papers  (2020-08-25T15:04:32Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.